
Matt Kelly compares potential SEC requirements that CISOs attest to the effectiveness of their cybersecurity with the financial certifications already required of CEOs and CFOs by the Sarbanes-Oxley Act. Kelly notes that current regulatory proposals circling around the SEC fall well short of the criminal penalties of SOX, which may lead some business leaders not to take them seriously. But he argues that the kinds of assurances already demanded by others, such as the certifications required by the state of New York and the documentation required by cyber insurance firms, already bring companies close to meeting such hypothetical requirements, and that it might be easier to just go ahead and do it.
